IETF Logo Mail Archive

Re: [lamps] draft-housley-lamps-norevavail-00

Russ Housley <housley@vigilsec.com> Fri, 19 May 2023 19:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 322F1C15152C for <spasm@ietfa.amsl.com>; Fri, 19 May 2023 12:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oti9GFy52RSV for <spasm@ietfa.amsl.com>; Fri, 19 May 2023 12:55:57 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D06C151069 for <spasm@ietf.org>; Fri, 19 May 2023 12:55:57 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 9EDE111F3F7; Fri, 19 May 2023 15:55:56 -0400 (EDT)
Received: from [192.168.1.161] (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 7CD9E11F529; Fri, 19 May 2023 15:55:56 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_24FE6DC3-FA68-47FE-A256-AC712C698885"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Fri, 19 May 2023 15:55:56 -0400
In-Reply-To: <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com>
Cc: LAMPS <spasm@ietf.org>
To: Seo Suchan <tjtncks@gmail.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/W1rIOqdXniCGkk6c4KwNiLX7qB8>
Subject: Re: [lamps] draft-housley-lamps-norevavail-00
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2023 19:56:01 -0000

Seo:

id-pkix-ocsp-nocheck is to avoid asking an OCSP Responder for status for its own certificate.

Russ


> On May 19, 2023, at 3:47 PM, Seo Suchan <tjtncks@gmail.com> wrote:
> 
> I thought id-pkix-ocsp-nocheck already remove revocation check, but realized that's only for ocsp check - clients seeing certs with id-pkix-ocsp-nocheck extension expected to check CRL for that certificate? only thing it currently used is for designated OCSP responder(for root iirc?). and don't think it runs CRL for it.
> 
> 2023-05-19 오전 6:23에 Russ Housley 이(가) 쓴 글:
>> I want the LAMPS WG to be aware of this I-D.  However, I do not think we should adopt it until the event predicted in the History section actually comes to pass:
>> 
>>    With greater use of short-lived certificates in the Internet, the
>>    next revision of ITU-T Recommendation X.509 [X.509-TBD] is expected
>>    to allow the noRevAvail certificate extension to be used with public
>>    key certificates as well as attribute certificates.
>> 
>> Russ
>> 
>> 
>>> From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>> Subject: New Version Notification for draft-housley-lamps-norevavail-00.txt
>>> Date: May 18, 2023 at 4:51:35 PM EDT
>>> To: "Joseph Mandel" <joe.mandel@secureg.io <mailto:joe.mandel@secureg.io>>, "Russ Housley" <housley@vigilsec.com <mailto:housley@vigilsec.com>>, "Tomofumi Okubo" <tomofumi.okubo+ietf@gmail.com <mailto:tomofumi.okubo+ietf@gmail.com>>
>>> 
>>> 
>>> A new version of I-D, draft-housley-lamps-norevavail-00.txt
>>> has been successfully submitted by Russ Housley and posted to the
>>> IETF repository.
>>> 
>>> Name:		draft-housley-lamps-norevavail
>>> Revision:	00
>>> Title:		No Revocation Available for Short-lived X.509 Certificates
>>> Document date:	2023-05-18
>>> Group:		Individual Submission
>>> Pages:		8
>>> URL:            https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.txt <https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.txt>
>>> Status:         https://datatracker.ietf.org/doc/draft-housley-lamps-norevavail/ <https://datatracker.ietf.org/doc/draft-housley-lamps-norevavail/>
>>> Html:           https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.html <https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.html>
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-lamps-norevavail <https://datatracker.ietf.org/doc/html/draft-housley-lamps-norevavail>
>>> 
>>> 
>>> Abstract:
>>>   Short-lived X.509v3 public key certificates as profiled in RFC 5280
>>>   are seeing greater use in the Internet.  The Certification Authority
>>>   (CA) that issues these short-lived certificates do not publish
>>>   revocation information because the certificate lifespan that is
>>>   shorter than the time needed to detect, report, and distribute
>>>   revocation information.  This specification defines the noRevAvail
>>>   certificate extension so that a relying party can readily determine
>>>   that the CA does not publish revocation information for the
>>>   certificate.
>> 
>> 
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org <mailto:Spasm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

v2.23.0 | Report a Bug | By Email